limit max entropy to 1024 bytes, at which point we've reached the max size of the checksum

Author: rubensayshi

index.js

@@ -42,6 +42,9 @@ function mnemonicToEntropy (mnemonic, wordlist) {
     return lpad(index.toString(2), '0', 11)
   }).join('')
 
+  // max entropy is 1024; (1024×8)+((1024×8)÷32) = 8448
+  assert(bits.length <= 8448, 'Invalid mnemonic')
+
   // split the binary string into ENT/CS
   var dividerIndex = Math.floor(bits.length / 33) * 32
   var entropy = bits.slice(0, dividerIndex)
@@ -64,7 +67,7 @@ function entropyToMnemonic (entropy, wordlist) {
 
   var entropyBuffer = new Buffer(entropy, 'hex')
 
-  assert(entropyBuffer.length && entropyBuffer.length % 4 === 0, 'Invalid entropy')
+  assert(entropyBuffer.length > 0 && entropyBuffer.length <= 1024 && entropyBuffer.length % 4 === 0, 'Invalid entropy')
 
   var entropyBits = bytesToBinary([].slice.call(entropyBuffer))
   var checksum = checksumBits(entropyBuffer)

test/index.js

@@ -85,6 +85,15 @@ describe('BIP39', function () {
         e = _e;
       }
       assert(e && e.message === 'Invalid entropy');
+
+      var e;
+      try {
+        BIP39.entropyToMnemonic(new Buffer(new Array(1028 + 1).join('00'), 'hex'));
+        e = null;
+      } catch (_e) {
+        e = _e;
+      }
+      assert(e && e.message === 'Invalid entropy');
     })
   })